[pkg-horde] Bug#434045: security-bug informations for horde3 package
Gregory Colpart
reg at evolix.fr
Sun Jul 22 07:06:48 UTC 2007
Hello,
The package horde3 has an XSS vulnerability (see CVE-2007-1473 and bug #434045).
Affected versions are:
- sarge version (3.0.4-4sarge4)
- etch version (3.1.3-4)
- testing/unstable version (3.1.3-5)
The upstream patch is trivial
(http://bugs.horde.org/ticket/?id=4816):
8<----------------------------------
- } elseif (!empty($lang)) {
+ } elseif (!empty($lang) && NLS::isValid($lang)) {
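Review bot: the hunk arrives with no file header or @@ context, so a reader cannot tell which branch of framework/NLS/NLS.php this `elseif` belongs to or where `$lang` (the `new_lang` value) was read; please include a few surrounding lines. The fix also rests entirely on `NLS::isValid($lang)` rejecting unknown values, so the accepted language should still be HTML-escaped at the point where it is echoed back into the page, as a second layer.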
8<----------------------------------
I prepared fixed packages:
- sarge version
http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.diff.gz
http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge5.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.0.4-4sarge4_3.0.4-4sarge5.diff
- etch version
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.diff.gz
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4etch1.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-4_3.1.3-4etch1.diff
- unstable version
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.diff.gz
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.4-1.dsc
http://gcolpart.evolix.net/debian/horde3/horde3_3.1.3-5_3.1.4-1.diff
Note that I'm a member of the pkg-horde team but I'm not a DD, so
I am waiting for my sponsor to upload the unstable package.
If you want to test the vulnerability, you could go to:
http://<server>/horde3/?new_lang=%22%3E%3Cbody%20onload=%22alert%28'hello%20world'%29%3B
(I can provide you a vulnerable URL in private if you want.)
Information for the advisory:
8<----------------------------------
horde3 -- XSS vulnerability
Date Reported:
?? Jul 2007
Affected Packages:
horde3
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2007-1473
More information:
It was discovered that the Horde web application framework has a cross-site
scripting (XSS) vulnerability in framework/NLS/NLS.php, which allows remote
attackers to inject arbitrary web script or HTML via the new_lang parameter.
For the old stable distribution (sarge) this problem has been fixed in version 3.0.4-4sarge5.
For the stable distribution (etch) this problem has been fixed in version 3.1.3-4etch1.
For the unstable distribution (sid) this problem has been fixed in version 3.1.4-1.
We recommend that you upgrade your horde3 package.
8<----------------------------------
Regards,
--
Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
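As an added example (not Horde code and not the upstream patch), the hardening pattern the one-line fix applies, written out as standalone PHP: accept a language code only if it is on a fixed allowlist, and escape on output as well. The function names and the locale list are assumptions.

```php
<?php
// Added example, not Horde code. selectLanguage() and renderLangAttribute()
// are assumed names; $validLangs is a constructed allowlist.

function selectLanguage(?string $requested, array $validLangs, string $default): string
{
    // Same shape as "!empty($lang) && NLS::isValid($lang)": a value that is
    // not in the known list is ignored and the default is used instead.
    if ($requested !== null && $requested !== '' && in_array($requested, $validLangs, true)) {
        return $requested;
    }
    return $default;
}

function renderLangAttribute(string $lang): string
{
    // Escape on output too, so a future caller that skips the allowlist
    // still cannot break out of the attribute.
    return '<html lang="' . htmlspecialchars($lang, ENT_QUOTES, 'UTF-8') . '">';
}

$validLangs = ['en_US', 'fr_FR', 'de_DE'];   // constructed sample allowlist

// Constructed sample inputs: a valid code, empty/missing values, and a
// markup-bearing string of the kind the report describes.
$inputs = ['fr_FR', '', null, '"><body onload="alert(1)'];
foreach ($inputs as $in) {
    $lang = selectLanguage($in, $validLangs, 'en_US');
    echo renderLangAttribute($lang), "\n";
}
```

Only the first input reaches the output unchanged; every other input falls back to the default, and the markup-bearing string would be neutralised by htmlspecialchars() even if the allowlist were bypassed.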